OAuth2 (and any other bearer token protocol) has an issue with potential token misuse through theft, MITM (man in the middle) and hijacking: whoever holds the token can use it. Proof of Possession (PoP) is a mechanism to bind a bearer token to a particular user/device, in order to prevent misuse by a third party.
This session discussed user-to-token binding via PKI.
- Augments traditional OAuth2 token flows
- Requires no changes to existing flows
- AM, as the authorization service, will issue "signature" access_tokens
- the access_token becomes specific to the user it is issued to
- leverages a new claim called cnf_key (confirmation key)
- this cnf_key is the base64-encoded JWK (JSON Web Key) public key of the requesting client
- token introspection now includes the cnf_key component
- When the token is presented to the resource server, the RS can pull out the cnf_key and use it to drive a challenge-response mechanism
- This challenge-response requires a response that proves possession of the corresponding private key
- e.g. the RS encrypts a basic maths question (increment a random large number by 1)
- the client needs the private key to decrypt the message; it decrypts successfully and sends the response, signed or encrypted with the private key, back to the RS
- the RS can verify the private-key-based response because it has access to the public key
- Challenge-response mechanisms require more steps
- The challenge-response isn't described in the specs, so there are many ways to implement it
- Not all requests will need PoP, due to the extra hops involved
- Provides an extra security option
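The flow the notes describe, written out end to end as an added example (not code from the session, from ForgeRock AM, or from any of the linked specs). It uses only the Go standard library and assumes a few things the notes leave open: the claim layout (`sub`, `cnf_key`) and the `(payload, signature)` token shape are a toy stand-in for AM's real JWT/JWS, cnf_key is base64url-encoded JWK JSON, the challenge is RSA-OAEP encryption of a random 256-bit number whose expected answer is that number plus one, and the answer is signed with RSA-PSS so the RS can check it against the key bound into the token. The function names (`IssueToken`, `Introspect`, `KeyFromCnf`, `MakeChallenge`, `AnswerChallenge`, `VerifyAnswer`, `RunPoPFlow`) are mine, not AM's API.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// JWK is a minimal RSA public-key JWK (RFC 7517: kty, n, e as base64url).
type JWK struct {
	Kty string `json:"kty"`
	N   string `json:"n"`
	E   string `json:"e"`
}
var enc, dec = base64.RawURLEncoding.EncodeToString, base64.RawURLEncoding.DecodeString

// sign and verify: RSA-PSS over SHA-256, used for the AS token signature and for the client's answer.
func sign(key *rsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
}
func verify(pub *rsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// IssueToken (authorization server side) puts the client's public key, as a base64url-encoded JWK, into the
// cnf_key claim and signs the payload. Claim layout is assumed, not AM's; (payload, sig) stands in for a JWS.
func IssueToken(asKey *rsa.PrivateKey, sub string, clientPub *rsa.PublicKey) ([]byte, []byte, error) {
	jwkJSON, _ := json.Marshal(JWK{Kty: "RSA", N: enc(clientPub.N.Bytes()), E: enc(big.NewInt(int64(clientPub.E)).Bytes())})
	payload, _ := json.Marshal(map[string]string{"sub": sub, "cnf_key": enc(jwkJSON)})
	sig, err := sign(asKey, payload)
	return payload, sig, err
}

// Introspect (resource server side) checks the AS signature and returns the claims, cnf_key included.
func Introspect(asPub *rsa.PublicKey, payload, sig []byte) (map[string]string, error) {
	if !verify(asPub, payload, sig) { return nil, fmt.Errorf("bad AS signature") }
	claims := map[string]string{}
	return claims, json.Unmarshal(payload, &claims)
}

// KeyFromCnf rebuilds the client's public key from the cnf_key claim.
func KeyFromCnf(cnfKey string) (*rsa.PublicKey, error) {
	var j JWK
	raw, err := dec(cnfKey)
	if err == nil { err = json.Unmarshal(raw, &j) }
	n, errN := dec(j.N)
	e, errE := dec(j.E)
	if err != nil || errN != nil || errE != nil || j.Kty != "RSA" { return nil, fmt.Errorf("bad cnf_key") }
	return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
}

// MakeChallenge: the RS encrypts a random 256-bit number to the cnf_key (RSA-OAEP); the expected answer is n+1.
func MakeChallenge(clientPub *rsa.PublicKey) ([]byte, *big.Int, error) {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 256))
	if err != nil { return nil, nil, err }
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, n.Bytes(), nil)
	return ct, new(big.Int).Add(n, big.NewInt(1)), err
}

// AnswerChallenge: the presenter decrypts, increments and signs; without the private key decryption fails.
func AnswerChallenge(key *rsa.PrivateKey, ct []byte) ([]byte, []byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, ct, nil)
	if err != nil { return nil, nil, err }
	answer := new(big.Int).Add(new(big.Int).SetBytes(plain), big.NewInt(1)).Bytes()
	sig, err := sign(key, answer)
	return answer, sig, err
}

// VerifyAnswer: the RS checks the value and that the signature verifies under the key bound into the token.
func VerifyAnswer(clientPub *rsa.PublicKey, expected *big.Int, answer, sig []byte) bool {
	return new(big.Int).SetBytes(answer).Cmp(expected) == 0 && verify(clientPub, answer, sig)
}

// RunPoPFlow: issue -> introspect -> challenge -> answer -> verify. stolen=true presents the token from a party that has the token but not the client's private key.
func RunPoPFlow(stolen bool) (bool, error) {
	asKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	clientKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	payload, asSig, err := IssueToken(asKey, "alice", &clientKey.PublicKey)
	if err != nil { return false, err }
	claims, err := Introspect(&asKey.PublicKey, payload, asSig)
	if err != nil { return false, err }
	cnfKey, err := KeyFromCnf(claims["cnf_key"])
	if err != nil { return false, err }
	ct, expected, err := MakeChallenge(cnfKey)
	if err != nil { return false, err }
	presenter := clientKey
	if stolen { presenter, _ = rsa.GenerateKey(rand.Reader, 2048) } // the thief's own key, not the one in cnf_key
	answer, sig, err := AnswerChallenge(presenter, ct)
	if err != nil { return false, nil } // could not decrypt: possession not proven, request rejected
	return VerifyAnswer(cnfKey, expected, answer, sig), nil
}

func main() { fmt.Println(RunPoPFlow(false)) }
```

`RunPoPFlow(false)` returns true: the legitimate client decrypts the challenge and its signed answer verifies under the cnf_key the AS bound into the token. `RunPoPFlow(true)` plays a party that obtained the bearer token but not the private key; it fails at the decrypt step and the request is rejected, which is the theft/MITM case the binding is meant to defeat. The extra challenge and answer messages are the "extra hops" the notes mention. Because the specs do not fix the challenge-response, the RS should also tie each challenge to the specific request and token and give it a short lifetime, so an answer observed on the wire cannot be replayed later.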
Useful links:
- RFC 7800 PoP architectures for JWT - https://tools.ietf.org/html/rfc7800
- https://forum.forgerock.com/2016/10/protect-bearer-tokens-using-proof-possession/
- OAuth2 PoP overview in AM - https://backstage.forgerock.com/docs/am/5.1/oauth2-guide/#oauth2-proof-of-possession-overview
- OAuth2 PoP usage in AM - https://backstage.forgerock.com/docs/am/5.1/oauth2-guide/#rest-api-oauth2-proof-of-possession